There’s no blanket diploma program or global agency regulating who is and isn’t an MSSP. What may be a shocking disadvantage to the consumer when it comes to vetting service providers is a definite benefit to those looking to capitalize on this growing opportunity. If you’re looking to designate yourself as an MSSP, the barrier to entry is at the floor.
The challenge, of course, is revealed when you consider the customer’s evaluation process. There is no room for error in cybersecurity, and a significant level of trust is placed in the service provider. As you likely know, trust is built up over time, and for an MSSP, this is established through your maturity and track record as a security services provider. This is where certifications prove their value. They not only build out your expertise and abilities, but also demonstrate to the customer that you have the expertise.
If you’re establishing cybersecurity measures for a client, you need to ensure your own house is in order. Experiencing a cyber breach yourself is not a good look if you’re promoting yourself as an MSSP. There are two primary gold-standard certifications for having your security standards vetted. SOC 2 and ISO 27001 are third-party certifications that are a key indicator of your maturity and the security standards to which you hold your business. Unfortunately, these certifications are likely unreasonable for a modestly sized MSSP to pursue. There are stringent requirements for demonstrating you meet the established standard of security, and a significant financial investment that covers the cost of third-party accreditation.
Then what certifications are attainable and worth the effort?
Some countries are more advanced with regard to setting up a framework and resources for cybersecurity. For example, in the UK, the National Cyber Security Centre has established a web portal called Cyber Essentials that functions as a centralized hub for advice, certification options, and for determining if an organization you’re working with is certified under their framework. If you operate in a region that’s slightly further behind the UK, there are globally recognized certifications that you may want to consider for yourself and your workforce.
This certification is offered by (ISC)2 and the comprehensive training covers vital areas of knowledge such as security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. This certification covers a lot of ground and consequently doesn’t provide the depth of knowledge that might be desired. That said, it’s a starting point, and a certification that’s recognized and perhaps necessary.
This certification goes deeper into the weeds but still, on the spectrum of technicality, is relatively base level. In broad terms, content pertains to incident handling and computer crime investigation, computer and network hacker exploits, and hacker tools (Nmap, Nessus, Metasploit and Netcat). Examinations are only available to those in the US and Canada.
There are a slew of other certifications that you can secure. To name a few:
Whether these certifications make sense for you and your organization is for you to decide. What certifications are valued in the region where you operate? What specific cybersecurity services are you going to offer? What cybersecurity measures does your existing client base need? Are your competitors marketing their security credentials or not? These are the questions you need to consider.
No matter if you’re considering whether to pursue the MSSP opportunity or not, IT Glue’s award-winning documentation platform will be there to support you. Our platform allows for the efficient storage and retrieval of all the documentation you need to help managed service providers increase efficiency. Watch a demo today!